The U.S. Cyber Command (USCYBERCOM) has uploaded new malware samples to VirusTotal, all of which the Command has attributed to the North Korea-linked threat group Lazarus.
The samples were added to the scanning engine as part of a project that USCYBERCOM’s Cyber National Mission Force (CNMF) that kicked off in November 2018. Previously released malicious files have been attributed to state-sponsored hacking groups operating out of North Korea, Russia, and Iran.
In September 2019, 11 malware samples that were shared to the popular malware scanning engine were attributed to Lazarus, a cluster of activity that the U.S. refers to as “Hidden Cobra”
USCYBERCOM has now added 6 new samples linked to the same government-backed hacking group. Two of the new samples appear to have been created in the summer of 2019, two in February 2018, one in September 2017, and one in October 2016.
The malware, USCYBERCOM says, is currently used for phishing and remote access, to facilitate the hacking group’s illegal activities, steal funds, and evade sanctions.
Given that some of these samples are rather old, they are already broadly detected by the anti-malware companies in VirusTotal. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has published Malware Analysis Reports for each of these samples
Called ARTFULPIE, the first piece of malware is an implant designed to fetch a DLL from a hardcoded URL, load it in-memory, and execute it. The second is HOTCROISSANT, a full-featured beaconing implant that can fingerprint the system, download and upload files, execute processes and commands, and capture screenshots.
CROWDEDFLOUNDER can unpack and execute a Remote Access Trojan (RAT) binary in memory and can listen as a proxy for commands or connect to a remote server to receive commands. SLICKSHOES is a beaconing implant that can harvest system information, download/upload files, execute commands, and take screenshots.
Next in line is BISTROMATH, a full-featured RAT that can gather system data, upload/download files, run commands, and monitor the microphone, clipboard, and the screen. Finally, BUFFETLINE is a full-featured beaconing implant that can download, upload, delete, and execute files; create and remove processes; perform targeted system enumeration; and enable Windows CLI access.
In addition to these reports, CISA updated their report on the HOPLIGHT remote access Trojan (RAT), a threat that some anti-malware companies on VirusTotal detect as a variant of the NukeSped RAT due to code similarities.
Other newly released samples have also been detected as variants of NukeSped. Given the extent of the malicious operations associated with Hidden Cobra, it’s unsurprising that there are code similarities that link the numerous malware variants used by the group.